Windows Encrypted File System

Windows can encrypt files on an EFS volume by file, by directory, or by the entire volume. Encryption is done using a certificate. The certificate itself is saved on the encrypted volume, but it is encrypted with a password. Volumes can be configured so that they can be recovered using one of several certificates — for example, a recovery certificate belonging to the organization that owns the computer.

Contents

How it works

The first time EFS is used Windows creates a symmetric File Encryption Key (FEK). Windows then creates an RSA public/private key pair that is used to encrypt the FEK. The private key is then encrypted with a hash of the user's passphrase and username. The FEK can also be encrypted with the organization's public key. Microsoft calls this second key a "Recovery Agent".

In Windows 2000 the computer's administrator is the default recovery agent and can decrypt all files encrypted with EFS.